Huawei ME60 interfacing with a WiFi authentication platform to implement multiple authentication methods

2019-02-24T10:13:00


An external third-party Portal authentication system is interfaced with the Huawei ME60 to deliver wireless WiFi WeChat authentication, SMS authentication and guest authentication.

1. Initial network setup: with no portal authentication configured, users connected to the wireless network can access the Internet normally.
2. Portal server deployment: with authentication disabled, both users and the ME60 can reach the portal server normally.
3. Network environment: the Portal server is on the public Internet and the ME60 is on the public Internet; they are interconnected over the public network.
4. ME60-related configuration.

Third-party Portal authentication system configuration


Huawei ME60 configuration command reference

HUAWEI>dis cu
#
sysname HUAWEI
#
info-center source DS channel 0 log state off  trap state off
#
router id 172.17.252.251
#
vlan batch 300
#
user-group pre-wifi
user-group wifi
user-group pre-ap
user-group ap
#
snmp-agent trap type entity-trap
#
diffserv domain default
diffserv domain 5p3dbas
diffserv domain 5p3d
#
qos-profile 1m_ap
car cir 1024 pir 1030 cbs 12800 pbs 12800 green pass yellow pass red discard inbound
car cir 1024 pir 1030 cbs 12800 pbs 12800 green pass yellow pass red discard outbound
#
nat instance xjnat
add slot 3 master
nat address-group Nat 111.111.111.111 111.111.111.112
nat outbound 3001 address-group Nat
nat instance Nat
#
radius-server group wifi
radius-server authentication 114.215.153.108 1812 weight 0
radius-server accounting 114.215.153.108 1813 weight 0
radius-server shared-key hello
radius-server retransmit 5 timeout 3
radius-server class-as-car
radius-server source interface GigabitEthernet2/0/7
undo radius-server user-name domain-included
radius-server traffic-unit kbyte
#
radius-server group portal
radius-server authentication 114.215.153.108 1812 weight 0
radius-server accounting 114.215.153.108 1813 weight 0
radius-server shared-key hello
radius-server retransmit 5 timeout 3
radius-server class-as-car
radius-server source interface GigabitEthernet2/0/7.60
undo radius-server user-name domain-included
radius-server traffic-unit kbyte
#
#
radius-server authorization 114.215.153.108 shared-key hello
radius-server authorization 114.215.153.108 shared-key hello
#
#
acl number 3001
rule 5 permit ip source 10.1.0.0 0.0.255.255
rule 10 permit ip source 172.20.0.0 0.0.255.255
rule 15 permit ip source 172.30.0.0 0.0.255.255
#
acl number 6000
rule 5 permit ip source user-group wifi
rule 10 permit ip source user-group ap
#
acl number 6001
description For DNS-permit
rule 5 permit ip source user-group pre-ap destination ip-address 112.112.112.112
rule 10 permit ip source user-group pre-ap destination ip-address 112.112.112.113
rule 17 permit ip source user-group pre-ap destination ip-address 112.112.112.114
rule 18 permit ip source user-group pre-ap destination ip-address 112.112.112.115
rule 21 permit ip source ip-address 112.112.112.112  destination user-group pre-ap
rule 26 permit ip source ip-address 112.112.112.113  destination user-group pre-ap
rule 31 permit ip source ip-address 112.112.112.114 0  destination user-group pre-ap
rule 36 permit ip source ip-address 112.112.112.115 0  destination user-group pre-ap
#
acl number 6102
description FOR->Limit-Web
rule 5 permit tcp source user-group pre-ap destination-port eq www
rule 10 permit tcp source user-group pre-ap destination-port eq 8080
rule 15 permit tcp source user-group pre-ap destination ip-address any
rule 20 permit udp source user-group pre-ap
#
acl number 6103
rule 5 permit ip source user-group pre-ap destination ip-address 114.215.153.108 0
rule 10 permit ip source ip-address 114.215.153.108 0  destination user-group pre-ap
rule 15 permit ip source user-group pre-ap destination ip-address 172.20.254.254 0
rule 20 permit ip source ip-address 172.20.254.254 0  destination user-group pre-ap
rule 25 permit ip source user-group pre-ap destination ip-address 172.17.253.142 0
rule 30 permit ip source ip-address 172.20.253.142 0  destination user-group pre-ap
rule 35 permit ip source user-group pre-ap destination ip-address 172.17.253.141 0
rule 40 permit ip source ip-address 172.20.253.141 0  destination user-group pre-ap
#
traffic classifier pre-ap-deny operator or
if-match acl 6102
traffic classifier portal operator or
if-match acl 6103
traffic classifier permit operator or
if-match acl 6000
if-match acl 6001
#
traffic behavior pre-ap-deny
http-redirect
traffic behavior portal
traffic behavior permit
nat bind instance xjnat
#
traffic policy xijing
share-mode
classifier permit behavior permit
classifier pre-ap-deny behavior pre-ap-deny
classifier portal behavior portal
#
ip pool pre-ap bas local
gateway 172.20.254.254 255.255.0.0
section 0 172.20.0.1 172.20.254.253
dns-server 114.114.114.144
#
ip pool pre-wifi bas local
gateway 172.30.0.1 255.255.252.0
section 0 172.30.0.2 172.30.3.254
dns-server 114.114.114.144
#
ip pool wifi bas local
gateway 10.1.0.1 255.255.252.0
section 0 10.1.0.2 10.1.3.254
dns-server 114.114.114.144
#
dot1x-template 1
#
aaa
http-redirect enable
local-user huawei password cipher 56ZIIZX=FP$;]DO9UKPI2Q!!
local-user huawei service-type telnet ssh
local-user huawei level 3
authentication-scheme default0
authentication-scheme default1
authentication-scheme default
  authentication-mode local radius
authentication-scheme none
  authentication-mode none
authentication-scheme radius
authentication-scheme portal
#
authorization-scheme default
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme none
  accounting-mode none
accounting-scheme radius
  accounting interim interval 3
  accounting send-update
  accounting interim-fail max-times 3 offline
accounting-scheme portal
#
domain default0
domain default1
domain default_admin
domain wifi
  authentication-scheme radius
  accounting-scheme radius
  ip-pool wifi
  radius-server group wifi
  user-group wifi
domain pre-wifi
  authentication-scheme none
  accounting-scheme none
  ip-pool pre-wifi
  user-group pre-wifi
domain pre-ap
  authentication-scheme default0
  accounting-scheme default0
  ip-pool pre-ap
  user-group pre-ap
  web-server 114.215.153.108
  web-server url http://114.215.153.108
  portal-server 114.215.153.108
  portal-server url http://114.215.153.108
domain ap
  authentication-scheme portal
  accounting-scheme portal
  radius-server group portal
  user-group ap
#
#
multicastbandwidth
#
interface Aux0/0/1
link-protocol ppp
undo shutdown
#
interface Virtual-Template0
ppp authentication-mode auto
#
interface Virtual-Template1
ppp authentication-mode auto
ppp keepalive interval 50 retransmit 4
#
interface GigabitEthernet0/0/0
speed auto
duplex auto
undo shutdown
#
interface GigabitEthernet2/0/0
undo shutdown
#
interface GigabitEthernet2/0/1
undo shutdown
#
interface GigabitEthernet2/0/2
undo shutdown
#
interface GigabitEthernet2/0/3
undo shutdown
#
interface GigabitEthernet2/0/4
undo shutdown
#
interface GigabitEthernet2/0/5
undo shutdown
bas
#
  access-type layer2-subscriber default-domain pre-authentication pre-ap authentication ap
  authentication-method web
#
#
interface GigabitEthernet2/0/6
undo shutdown
#
interface GigabitEthernet2/0/7
undo shutdown
#
interface GigabitEthernet2/0/7.60
vlan-type dot1q 60
ip address 172.17.253.141 255.255.255.252
#
interface GigabitEthernet2/0/7.252
vlan-type dot1q 252
ip address 172.17.252.251 255.255.255.0
#
interface GigabitEthernet2/0/8
pppoe-server bind Virtual-Template 1
undo shutdown
bas
#
  access-type layer2-subscriber default-domain pre-authentication pre-wifi authentication force wifi
  authentication-method ppp web
#
#
interface GigabitEthernet2/0/9
undo shutdown
ip address 1.1.1.1 255.255.255.224
#
interface NULL0
#
interface LoopBack0
description For Management
#
interface LoopBack1
#
l2tp-group default-lac
#
l2tp-group default-lns
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 172.17.0.0 255.255.0.0 172.17.253.142
ip route-static 172.17.252.0 255.255.255.0 172.17.252.254
ip route-static 172.20.0.0 255.255.0.0 172.20.254.254
#
stelnet server enable
ssh user huawei
ssh user huawei authentication-type password
ssh user huawei service-type stelnet
#
traffic-policy xijing inbound
traffic-policy xijing outbound
#
web-auth-server source interface GigabitEthernet2/0/7.60
web-auth-server version v2
web-auth-server 114.215.153.108 port 50100 key hello nas-ip-address
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
user-interface vty 16 20
#
multicast shaping
#
#
local-aaa-server
#
return
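The `web-auth-server version v2 ... port 50100 key hello` line in the configuration above is what lets the ME60 and the portal server check each other's Portal control messages: every v2 packet carries an MD5 authenticator computed over the packet and the shared key. As an added example (not code from the original post or from the vendor), the following Python builds a Portal v2 REQ_AUTH packet as the portal server would send it and verifies its authenticator; the header layout, attribute encoding and MD5 rule follow the CMCC/H3C Portal 2.0 specification as commonly documented and are an assumption here, as are the constructed user IP and user name.

```python
# Added example, not from the original post: build and verify the MD5 authenticator of a
# Huawei/H3C Portal protocol v2 control packet (portal server <-> BAS on UDP 50100).
# Assumed layout (CMCC/H3C Portal 2.0): 16-byte header, 16-byte authenticator, TLV attributes.
import hashlib
import hmac
import ipaddress
import struct

HEADER_FMT = "!BBBBHHIHBB"  # Ver Type PapChap Rsvd SerialNo ReqID UserIP UserPort ErrCode AttrNum
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16 bytes
AUTH_LEN = 16                             # MD5 authenticator that follows the header in v2
REQ_AUTH = 0x03                           # portal server -> BAS: authenticate this user
ATTR_USERNAME = 0x01                      # TLV type for the user name


def encode_attrs(attrs):
    """Encode (type, value) pairs as 1-byte type, 1-byte total length, value."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, 2 + len(value)) + value
    return out


def build_packet(msg_type, serial, req_id, user_ip, attrs, key, pap=True):
    """Assemble a v2 packet: header, authenticator, attributes."""
    body = encode_attrs(attrs)
    header = struct.pack(HEADER_FMT, 2, msg_type, 1 if pap else 0, 0, serial, req_id,
                         int(ipaddress.IPv4Address(user_ip)), 0, 0, len(attrs))
    # Authenticator = MD5(header || 16 zero bytes || attributes || shared key)
    auth = hashlib.md5(header + bytes(AUTH_LEN) + body + key).digest()
    return header + auth + body


def verify_authenticator(packet, key):
    """True only if the packet is v2 and its authenticator matches this shared key."""
    if len(packet) < HEADER_LEN + AUTH_LEN or packet[0] != 2:
        return False
    header = packet[:HEADER_LEN]
    got = packet[HEADER_LEN:HEADER_LEN + AUTH_LEN]
    body = packet[HEADER_LEN + AUTH_LEN:]
    want = hashlib.md5(header + bytes(AUTH_LEN) + body + key).digest()
    return hmac.compare_digest(got, want)


# Constructed sample: the portal asks the BAS to authenticate pre-ap pool user
# 172.20.0.10 as "guest01" (PAP), using the shared key from the configuration.
SAMPLE = build_packet(REQ_AUTH, serial=1, req_id=7, user_ip="172.20.0.10",
                      attrs=[(ATTR_USERNAME, b"guest01")], key=b"hello")
```

The same check applied to captured traffic between the ME60 and 114.215.153.108 tells you whether both sides really share the configured key, and any single-byte change to the packet makes verification fail.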

Download the detailed configuration manual for interfacing a third-party Portal authentication system with the Huawei ME60 to implement WeChat authentication and SMS authentication:

ZhuoMai-Portal对接华为me60.docx
